Iran behind recent bank hacks, officials say

The attackers hit one U.S. bank after the next. As in so many previous attacks, dozens of online banking sites slowed, hiccupped or ground to a halt before recovering several minutes later.

But there was something disturbingly different about the wave of online attacks on U.S. banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced U.S. government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

''There is no doubt within the U.S. government that Iran is behind these attacks," said James A. Lewis, a former official in the departments of State and Commerce and a computer security expert at the Center for Strategic and International Studies in Washington.

Lewis said the amount of traffic flooding U.S. banking sites was "multiple times" the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation. U.S. officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.

''The scale, the scope and the effectiveness of these attacks have been unprecedented," said Carl Herberger, vice president of security solutions at Radware, a security firm that has been investigating the attacks on behalf of banks and cloud service providers. "There have never been this many financial institutions under this much duress."

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC. They employed DDoS attacks, or distributed denial of service attacks, named because hackers deny customers service by directing large volumes of traffic to a site until it collapses. No bank accounts were breached and no customers' money was taken.

By using data centers, the attackers are simply keeping up with the times. Companies and consumers are increasingly conducting their business over large-scale "clouds" of hundreds, even thousands, of networked computer servers. These clouds are run by Amazon and Google, but also by many smaller players who commonly rent them to other companies. It appears the hackers remotely hijacked some of these clouds and used the computing power to take down American banking sites.

''There's a sense now that attackers are crafting their own private clouds," either by creating networks of individual machines or by stealing resources wholesale from poorly maintained corporate clouds, said John Kindervag, an analyst at Forrester Research.

How, exactly, attackers are hijacking data centers is still a mystery. Making matters more complex, they have simultaneously introduced another weapon: encrypted DDoS attacks. Banks encrypt customers' online transactions for security, but the encryption process consumes system resources. By flooding banking sites with encryption requests, attackers can further slow or cripple sites with fewer requests.

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks. The group said it attacked the banks in retaliation for an anti-Islam video that mocked the Prophet Muhammad, and pledged to continue its campaign until the video was scrubbed from the Internet. It called the campaign Operation Ababil, a reference to a story in the Quran in which Allah sends swallows to defeat an army of elephants dispatched by the king of Yemen to attack Mecca in A.D. 571.

But U.S. intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems. In the last three years, three sophisticated computer viruses — called Flame, Duqu and Stuxnet — have hit computers in Iran. The New York Times reported last year that the United States, together with Israel, was responsible for Stuxnet, the virus used to destroy centrifuges in an Iranian nuclear facility in 2010.

''It's a bit of a grudge match," said Lewis of the Center for Strategic and International Studies. Researchers at Radware who investigated the attacks for several banks found that the traffic was coming from data centers around the world. They discovered that various cloud services and public Web hosting services had been infected with a particularly sophisticated form of malware, called Itsoknoproblembro, that was designed to evade detection by antivirus programs. The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims.

Botnets, or networks of individual infected slave computers, can typically be traced back to a command and control center, but security experts say Itsoknoproblembro was engineered to make it very difficult to tie it to one party. Security researchers have come up with a new name for servers infected with Itsoknoproblembro: they call them "bRobots."

In an amateur botnet, the command and control center can be easily identified, but Herberger said it had been nearly impossible to do so in this case, suggesting to him that "the campaign may be state-sponsored versus amateur malware."

Attackers used the infected servers to fire traffic simultaneously at each banking site until it slowed or collapsed. By infecting data centers instead of computers, the hackers obtained the computing power to mount enormous denial of service attacks. One of the banks had 40 gigabits of Internet capacity, Herberger said, a huge amount when you consider that a midsize business may only have one gigabit. But some banks were hit with a sustained flood of traffic that peaked at 70 gigabits.

Herberger declined to say which cloud service providers had been compromised, citing nondisclosure agreements with Radware's clients, but he said that each new bank attack provided evidence that more data centers had been infected and exploited.

The attackers said last week that they had no intention of halting their campaign. "Officials of American banks must expect our massive attacks," they wrote. "From now on, none of the U.S. banks will be safe."